1. 安装 acme.sh

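# Install acme.sh. Fetch the installer to a file first so it can be inspected
# (and its TLS download checked with -f/-S) before it is executed, instead of
# piping an unreviewed remote script straight into sh. Behaviour after the
# review step is the same: the installer runs with the account e-mail as its
# argument. The e-mail below is a placeholder as shown on this page; acme.sh's
# documented form is "email=you@example.com".
installer=$(mktemp) || exit 1
curl -fsSL https://get.acme.sh -o "$installer" || exit 1
# Review "$installer" here before running it.
sh "$installer" [email protected]
rm -f -- "$installer"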

2. 生成证书

2021年8月1号acme.sh的默认证书签发机构由letsencrypt换成了zerossl。
使用这个命令可以切换回使用letsencrypt作为默认的签发机构

# Switch acme.sh's default CA back to Let's Encrypt (the default became ZeroSSL
# on 2021-08-01, as noted above). This is a one-off account setting.
acme.sh --set-default-ca --server letsencrypt

或者手动指定

# Alternative: pin the CA per issuance with --server instead of changing the default.
#   -d                 domain to certify
#   -w                 webroot directory acme.sh uses for the HTTP-01 challenge files
#   --keylength ec-256 request an ECDSA P-256 key instead of an RSA key
#   --server           CA to use for this issuance only
acme.sh --issue -d blog.were.moe -w /srv/http/blog.were.moe --keylength ec-256 --server letsencrypt

我这里不做修改,使用了默认的zerossl,并额外指定使用比RSA更强的ECC加密算法

#                  site domain       web root                 request an ECC (P-256) key
# Issue with the default CA (ZeroSSL here); -w is the webroot for the HTTP-01 challenge.
acme.sh --issue -d blog.were.moe -w /srv/http/blog.were.moe --keylength ec-256

3. 给证书一个新家

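# Directory the certificate and private key will be installed into.
# Fixes the "mkidr" typo in the original; -p makes the step idempotent.
# The web server here is nginx, so the directory is handed to nginx's user and group.
# The directory holds the private key, so it is also made inaccessible to other users.
mkdir -p /srv/http/ssl \
  && chown nginx:nginx /srv/http/ssl \
  && chmod 700 /srv/http/ssl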

4. 复制/安装 证书(nginx)

# Copy the issued certificate into the directory nginx reads from.
#   --ecc              select the ECC certificate issued with --keylength ec-256
#   --key-file         private key destination; keep it readable only by root/nginx
#   --fullchain-file   leaf + intermediate chain, which is what nginx's ssl_certificate expects
#   --reloadcmd        command run after the install so nginx picks up the new files;
#                      acme.sh remembers it and runs it again after each renewal
acme.sh --install-cert -d blog.were.moe --ecc \
--key-file       /srv/http/ssl/key.pem  \
--fullchain-file /srv/http/ssl/cert.pem \
--reloadcmd     "service nginx force-reload"

5. 修改nginx的配置

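server {
  listen 80;
  listen 443      ssl http2 default_server;

  listen [::]:80;
  listen [::]:443 ssl http2;
  # NOTE(review): port 80 serves the site in the clear; nothing here redirects
  # it to HTTPS, so the HSTS header below only takes effect after a client's
  # first HTTPS visit.

  root /srv/http/blog.were.moe;
  index index.html index.htm index.php;
  charset utf-8;
  access_log /var/log/nginx/blog.were.moe.access.log main;


  # Files written by `acme.sh --install-cert` above
  ssl_certificate "/srv/http/ssl/cert.pem";      # full chain (leaf + intermediates)
  ssl_certificate_key "/srv/http/ssl/key.pem";   # private key

  ssl_session_timeout 1d;
  ssl_session_cache shared:MozSSL:10m;
  ssl_session_tickets off;   # no ticket key to rotate; sessions resume via the cache only

  ssl_protocols TLSv1.3 TLSv1.2;
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
  ssl_prefer_server_ciphers off;

  # HSTS (ngx_http_headers_module is required) (63072000 seconds)
  add_header Strict-Transport-Security "max-age=63072000" always;

  # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
  #ssl_dhparam /path/to/dhparam;

  # OCSP stapling
  ssl_stapling on;
  ssl_stapling_verify on;

  # verify chain of trust of OCSP response using Root CA and Intermediate certs
  #ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
  # NOTE(review): with ssl_trusted_certificate left commented out, confirm in
  # the nginx error log that stapling is actually active rather than silently
  # disabled.

  # replace with the IP address of your resolver
  resolver 8.8.8.8;

  error_page 404 /404.html;
  error_page 500 502 503 504 /50x.html;
  location = /50x.html {
    root /usr/share/nginx/html;
  }
}
# The original listing closed only the location block; the server block's
# closing brace was missing, which nginx rejects at config load.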
